Flash Security Is Critical for Flash Applications
Flash is a multimedia platform developed by Adobe that is commonly used for videos, animations, games and more. Flash was originally released in 1996 and has since become an extremely popular media platform. In more recent years, there has been concern in the tech community over Flash security, Flash malware and Flash vulnerability risks.
Flash has a long record of critical security updates aimed at patching Flash vulnerabilities and Flash malware, but these issues continue to surface as more Flash security issues are discovered. The site CVE Details reports on the Flash vulnerabilities found. The most common Flash security vulnerabilities include executable code, denial-of-service, overflow and Cross-Site Scripting. These issues have resulted in many security experts advising against installing Flash or suggesting that internet users employ tools to block Flash. The site gives additional Adobe Flash Player details and documents CVE security vulnerabilities, versions and detailed reports.
The charts below from cvedetails.com detail Flash vulnerability statistics for all versions of Flash. Vulnerability statistics provide a quick overview for security vulnerabilities of Flash Player.
Flash Security Settings
Flash users have the ability to change Flash Player security settings. Changing Flash Player security settings requires access to Adobe’s Flash Player Settings Manager, available on the Adobe site. The Settings Manager features six tabs: Global Privacy Settings, Global Storage Settings, Global Security Settings, Global Notification Settings, Website Privacy Settings and Website Storage Settings. It is recommended that Flash users adjust these tabs to their desired level of security before running any Flash applications. A good starting place would be setting all security preferences to “always ask” so that users are prompted before a Flash application can make changes to their computers.
The Flash Security Sandbox Model
Flash Player security follows a sandbox security model. This means that files and other data gathered by the Flash Player are sorted in isolated security sets called sandboxes. Sandboxes are classified by domain of origin for data and have varying security settings depending on data sources. Each Flash security sandbox is controlled by its own stakeholders, including user institution administrators, users, website administrators and authors. User institution administrators have the most security privileges, and authors have the most security restrictions. Access from sandbox to sandbox is restricted by stakeholder permission settings.
Developing Secure Flash Applications
This section provides a brief overview of the threats developers should keep in mind when building Flash applications. Developers of Flash applications need to keep the following in mind:
- Flash Player security settings
- Cross-domain privilege escalation
- Flash vulnerabilities
- Cross-Site Request Forgery
- Flash global security
- Malicious data injection
- Script injection into the browser
- Insufficient authorization restrictions
- Unauthorized access to data in transit
- Unauthorized local data access
- DNS rebinding
Setting Flash Player Security Controls Within HTML
Along with writing secure Flash code, developers need to be aware of permission settings within HTML that control access to content either from the browser or on the network. These settings can be used when a site is linking to untrusted Flash applications.
- always: The SWF file is completely trusted to communicate with the browser regardless of the domain used to load it.
- sameDomain: If the SWF and the hosting HTML page are located within the same domain, then they may communicate with each other.
Advanced Data Analysis to Find Hidden Flash Security Issues
Veracode's web-based Flash Security scanning analyzes the data and content of information presented by the application in order to find hidden Flash Security issues that are missed by other products. Veracode looks "inside" of directories, debug code, leftover source code and resource files to find hidden username/passwords, SQL strings, ODBC connectors and other sensitive information that hackers can exploit to gain unauthorized access to your application.
Security Tutorials From Veracode
Veracode Security Solutions
Veracode Data Security Resources
Written by: Neil DuPaul